The website offers few details on the compromise, so far, other than that it involves "credit and debit card data reportedly stolen from some our our restaurants." This wording has caused many experts to conclude that the breach occurred in P.F. Chang's point-of-sale (POS) systems, though the chain has not confirmed this conclusion. P.F. Chang's says it has reverted to a manual card imprinting system at all of its China Bistro-branded restaurants in the US until the investigation is complete.

The incident was not discovered by internal security staff, but was reported to the restaurant chain by the Secret Service on June 10, the website says.

Industry observers noted that the breach is another in a long line of data compromises that have occurred in the retail industry over the past year, including incidents at Target, Neiman-Marcus, and the Sally Beauty retail chains.

"This isn't surprising," says Philip Casesa, director of IT/service operations at (ISC)2, a leading association of security professionals. "In fact, it seems to follow the same MO as the Target and Sally Beauty attacks,where point-of-sale machines with traditionally weak security were targeted. Large retailers maintain centralized connections to these machines for updating, and an attacker can exploit that to distribute malware efficiently and collect large swaths of magnetic stripe data from the cards. Without proper detection of this malware on the retailer's part, these breaches can run almost unfettered until the attackers have enough or their exploit window is somehow closed."

"Going to the use of carbon forms together with payment information isn't as crazy as it sounds," says Dwayne Melancon, CTO at security firm Tripwire. "After all, if you're not sure which of your data systems you can trust, why would you put even more data into those systems?

"Carbon forms aren’t practical in the long term, though. The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor, and control physical card slips. A paper-based approach may reduce one specific type of risk, the risk still exists; the data protection problem has just changed form."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Card technology needs to be impoved dramatically. It will be a huge investment but the greater security and less chance of data loss will benefit all in the long run. How many more retailers getting hit will it take for everyone to get the hint that something must change?

I would like to point out that more secure credit/debit cards do not have raised numbers. It is all printed directly on the card. Cards that contain this feature do not leave traceable imprints on a person's receipts or card sleeve inside their wallet or purse. Simply sketching a pencil and paper over the imprinted object reveals it all. This is all accomplished with out the physical card.

It's more than the security of POS systems we need to be concerned about.